Saturday, July 09, 2016

So it appears that 71 million Twitter login credentials
(email addresses and passwords, all cleartext) are up for sale on the dark net.
No
indication where they came from or how fresh they are (I’ve inquired
and will update this post if I get any info).

@0x2Taylor — said in a Twitter
direct message that he and a friend “breached a server” owned by Amazon that
contained database files with more than 80,000 Kindle users’ information.

“When they first got Kindles and
set them up, all their stuff was being logged and put into a database,”
@0x2Taylor said. He added that the
database includes a user’s email, password, city, state, phone number, zip
code, user-agent, LastLoginIP, Proxy IP and street. He sent us several emails and passwords in an
effort to legitimize the breach.

“If I don’t receive a payment
from them the data will be posted online along with an older dump,” he said.

As of the time of this posting, there’s a 569mb dump with
83k records that the hacker’s uploaded. The file is dated May 25.

“Our audit focused on the FDIC’s processes for addressing
one particular type of information security incident—a breach of sensitive
information—because the incident we selected for detailed review (i.e., the
Florida Incident) was a breach. The
Florida Incident involved a former FDIC employee who copied a large quantity of
sensitive FDIC information, including personally identifiable information, to
removable media and took this information when the employee departed the FDIC’s
employment in October 2015. The FDIC
detected the incident through its DLP tool.

Audit Results

Although the FDIC had
established various incident response policies, procedures, guidelines, and
processes, these controls did not provide reasonable assurance that major
incidents were identified and reported in a timely manner. Specifically, we found that:

The
FDIC’s incident response policies, procedures, and guidelines did not
address major incidents.

The
large volume of potential security violations identified by the DLP tool,
together with limited resources devoted to reviewing these potential
violations, hindered meaningful analysis of the information and the FDIC’s
ability to identify all security incidents, including major incidents.

Further,
based on our analysis of the Florida Incident, we concluded that the FDIC
had not properly applied the criteria in OMB Memorandum M-16-03 when it
determined that the incident was not major. Specifically, the FDIC based its
determination on various mitigation factors related to the “risk of harm”
posed by the incident. Although
such factors have relevance in determining the mitigation actions to be
taken in addressing incidents, the factors are not among those listed in
OMB Memorandum M-16-03 for agencies to consider when determining whether
incidents are major and, therefore, are not relevant. We notified the CIO
on February 19, 2016 that our analysis of the Florida Incident found that
reasonable grounds existed to designate the incident as major as of
December 2, 2015, and, as such, the incident warranted immediate reporting
to the Congress. The FDIC
subsequently reported the Florida Incident to the Congress as major on
February 26, 2016…”

Facebook only removes content if it celebrates or
glorifies violence, not if it’s only graphic or disturbing, according to a
spokesperson.

Facebook also insists that the video of Philando Castile’s
death was temporarily unavailable due to a technical glitch that was Facebook’s
fault. That contradicts theories that
the video disappeared due to Facebook waffling on whether it should stay up, a
high volume of reports of it containing violent content, a deletion by police
who’d taken possession of Castile’s girlfriend’s phone and Facebook account or
a request from police to remove it.

However, Facebook refused to detail exactly what caused
the glitch, such as a traffic spike. It
did release this statement, however.

…The company
suspiciously refused to detail the cause of the glitch, though a spike in
traffic is a possibility. Still, that
ambiguity stokes concerns that Facebook purposefully brought down the clip.

Even if it was a technical glitch, it’s one Facebook must
prevent from happening in the future. Live
is its chance to become a hub for real-time news that has historically ended up
on Twitter first. And with the
acquisition of Periscope, Twitter wants to control live video broadcasting,
too. Users may reach for whichever they
think is most likely to make their voice heard and not censor them.

The UK's National Crime Agency (NCA) released its Cyber
Crime Assessment 2016 this week. Designed to outline the "real and
immediate threat to UK businesses" from cyber crime, the report tells us little that is new. It argues that criminal capability is
outpacing industry's ability to defend against attacks, and suggests that
"only by working together across law enforcement and the private sector
can we successfully reduce the threat to the UK from cyber crime."

The law firm of Bryan Cave lists nine factors
entities should look at when considering the risk that litigation poses
following a breach. They note:

Specifically, unless a
plaintiff has been the victim of identity theft or has suffered some other type
of concrete injury, most courts have refused to let them proceed based solely
on the allegation that they are subject to an increased risk of harm as a
result of the breach.

They then go on to list factors to consider in assessing
risk:

Was the quantity of records lost lower, or greater,
than the average number of records involved in recent class action
lawsuits?

Were the records lost encrypted, obscured, or
de-identified?

Could the type of information lost be used to commit
identity theft?

Did patients suffer any direct monetary harm?

Has there been any evidence of actual identity theft?

Could the data loss hurt the reputation of a patient
or cause emotional distress?

If so, what percentage of impacted consumers availed
themselves of your offer?

If filed as a class action, is the class
representative’s claim of identity theft premised on unique facts?

Unfortunately, the article doesn’t indicate whether their
list of factors is ranked in order of importance/predictive value or is
just in random order. Looking at their
list, I think 3, 4, 5, and 6 may be the most predictive of whether standing
would be conferred, but I’ve written to them to ask their opinion, and will
update this post if I get a response.

Their article also lists allegations plaintiffs have
made that courts have not found sufficient to confer standing and
allegations which some courts have found sufficient to confer
standing.

…No matter where we
work in the future, Nadella says, Microsoft will have a place in it. The company’s "conversation as a
platform" offering, which it unveiled in March, represents a bet that
chat-based interfaces will overtake apps as our primary way of using the
internet: for finding information, for shopping, and for accessing a range of
services. And apps will become smarter
thanks to "cognitive APIs," made available by Microsoft, that let
them understand faces, emotions, and other information contained in photos and
videos.

…In January, The
Verge described the tech industry's search
for the killer bot. In the months
that followed, companies big and small have accelerated their development
efforts. Facebook opened
up a bot development platform of its own, running on its popular Messenger
chat app. Google announced a new
intelligent assistant running inside Allo, a
forthcoming messenger app, and Home,
its Amazon Echo competitor. Meanwhile
the Echo, whose voice-based inputs have captivated developers, is reportedly in
3 million homes, and has added 1,200 "skills" through its API.

…But to win, Lu
says, a company needs five "key assets." The first is a "conversation canvas"
— a place where people are doing lots of talking and texting. Microsoft has Office, Outlook, Skype, and
Cortana. The second is that AI
"brain" — a sophisticated mental model of the world. Microsoft says its own AI efforts date back
nearly 20 years. The third is access to
a social graph — people’s activity on the internet often involves their friends
and coworkers. Not coincidentally, a few
days after I met Lu, Microsoft announced
it would spend $26.2 billion to acquire LinkedIn, and its 433 million
registered users.

The fourth piece is a platform for the artificial
intelligence to operate on. Microsoft
has Windows and a family of devices, notably the Xbox. The final piece is a network of developers
eager to build on your platform, and to pay you for the privilege. Stoking that interest had been the primary
goal of the Microsoft Build developer conference in March.

Is the future of law enforcement? Do remotely controlled robots allow cooler
heads to determine how much force is required?

…“I’m not aware
of officers using a remote-controlled device as a delivery mechanism for lethal
force,” said Seth Stoughton, an
assistant professor of law at the University of South
Carolina who is a former police officer and expert on police methods. “This is sort of a new horizon for police
technology. Robots have been around for
a while, but using them to deliver lethal force raises some new issues.”

In May, a Tesla “autopilot” enthusiast in Florida became
the first known fatality in a self-driving car. But
this was no ordinary accident. The car performed exactly as designed, and
the (non)driver’s failure to take any corrective action could reasonably have
been foreseen by the manufacturer. This
unwelcome yet widely anticipated milestone may set back progress on what
promises to be one of the most valuable technologies of the 21st century.

…The National
Highway Traffic Safety Administration is soon expected to issue rules that will mandate transponders for all new cars
and most trucks. This
will permit vehicles to broadcast their speed, heading and braking status to
anyone or anything within 300 meters, which is well beyond the range of current
onboard sensors. These devices, called
“V2V” (vehicle-to-vehicle) communicators, can see around corners and convey a
driver’s intent (such as, say, an impending left turn), along with other
relevant information.

…The potential
economic and social benefits of self-driving technology are difficult to
overstate. When the taxi you summon
arrives within seconds and doesn’t require a driver, personal transportation
will be far more convenient and much cheaper. You won’t want to own (or insure) your own
car. Garages will go the way of
outhouses, and the 14% of Los Angeles real estate devoted to parking can be
repurposed for higher uses.

…In the fatal
self-driving accident in Florida, the car failed to recognize that a truck
traveling in the other direction was about to make a left turn in front of it. Tesla pointed out that the driver also failed
to take corrective action. As the
company said in a statement, “When
drivers activate Autopilot, the acknowledgment box explains, among other
things, that Autopilot is an assist feature that requires you to keep your
hands on the steering wheel at all times.”

This disclaimer may mitigate Tesla’s liability, but it’s
simply not practical to ask passengers in a self-driving vehicle to remain
alert and engaged. Reports from the
accident scene in Florida suggest that the driver may have been watching a
“Harry Potter” movie on a portable DVD player at the time.

The risk now is that politicians and government agencies,
reacting to such unfortunate incidents, will enact a hodgepodge of new
regulations that will hamper the development and adoption of the technology.

A recent survey, reported in SC Magazine, found
that 24% of surveyed LinkedIn users have connected with people they didn’t know
on the professional social network, despite
LinkedIn’s repeated warnings not to do so. Why is this an issue?

The smartphone is an invaluable tool for
capturing data wherever you are.

No matter what you’re researching or what real-world
information you need to save,

Maybe, you are a university student who needs to
archive newspaper clippings on microfiche, an archivist that wants to save a
page or two from an antique book, or a web researcher who needs to archive
emails and web pages?

…Via
ProPublica: “New Jersey‘s Student Loan Program is ’State-Sanctioned Loan-Sharking’.” [Hey! It’s New Jersey, what else did you
expect? Bob]

…Via
the Texas Tribune: “Three University of Texas at Austin
professors sued their university and the state on Wednesday, claiming Texas’
new campus
carry law is forcing the school to impose ‘overly-solicitous,
dangerously-experimental gun policies’ that violate the First and Second
Amendments.”

[From the article:

"Compelling professors at a
public university to allow, without any limitation or restriction, students to
carry concealed guns in their classrooms chills their First Amendment rights to
academic freedom," the lawsuit says.

…Michigan State University
has dropped
its general ed requirement that students take college-level algebra.

…Via
the Milwaukee Wisconsin Journal Sentinel: “Over the past three decades,
state and local expenditures on prisons and jails have
increased more than three times as fast as spending on elementary and secondary
education, according to a new brief released Thursday by the U.S. Department of
Education.”

A new study conducted by the Ponemon Institute and
sponsored by password management provider Keeper Security analyzed the state of
cybersecurity in small and medium-sized businesses (SMBs) and found that
confidence in SMB security is shockingly low (just 14% of the companies
surveyed rated their ability to mitigate cyber attacks as highly effective).

50 percent of respondents reported that they had data breaches involving
customer and employee information in the last 12 months.

Three out of four survey respondents reported that exploits have evaded their
anti-virus solutions.

59% of respondents say they have no visibility into employees' password
practices and hygiene.

65% do not strictly enforce their documented password policies.

The scale of a breach is very difficult to measure
quickly, as articles like this consistently illustrate.

Remember when Wendy’s updated its breach disclosure in May
to report that it was 300 stores
impacted? They subsequently revealed
that they had found two types of malware and the number of impacted stores
could be “considerably higher.”

…Wendy’s first reported unusual payment card
activity affecting some restaurants in February 2016. In May, we confirmed that we had found
evidence of malware being installed on some restaurants’ point-of-sale systems,
and had worked with our investigator to disable it. On June 9th, we reported that we
had discovered additional malicious cyber activity involving other restaurants.
That malware has also been disabled in
all franchisee restaurants where it has been discovered. We believe that both criminal cyberattacks
resulted from service providers’ remote access credentials being compromised,
allowing access – and the ability to deploy malware – to some franchisees’
point-of-sale systems.

“It knows too much,” says Wang, an assistant professor of
computer science at Binghamton University in Upstate New York. “If you are
using a smart watch, you need to be cautious.”

He would know. Wearable
devices can give away your PIN number, according to research he and colleagues
presented in June at the 11th annual Association for Computing Machinery
Asia Conference on Computer and Communications Security (ASIACCS) in
Xi’an, China. By combining smart watch sensor data with an algorithm to infer key entry
sequences from even the smallest of hand movements, the team
was able to crack private ATM PINs with 80 percent accuracy on the first try
and more than 90 percent accuracy after three tries.

…“Retailers have
been caught out by bad data
architecture. You should
never store sensitive information on a network that third-party vendors have
access to. Create a systematic classification categorizing what’s sensitive and
what’s not,” suggests Yoo.

Daniel
Garrie, CEO of consulting firm Law & Forensics and senior advisor at
Risk Assistance Network and Exchange (RANE), suggests to his retail clients to go as far as providing cybersecurity to
the vendors themselves. “I
tell my clients you need to secure them. Spending any amount of money is worth
it if these are vendors you can’t live without.”

Just a few years ago,
end-to-end encryption was a nerdy niche: a tiny collection of obscure software
let you encrypt communication so only your recipient could read it, but the
vast majority left you no option to hide your words from hackers or
eavesdroppers. This year, that balance
shifted. And now, roughly 900 million
more people are about to be invited into the crypto club.

On Friday, Facebook plans to roll out a beta version of a new feature
it calls “secret conversations.” It’s
encrypted messages, end-to-end, so that in theory no one—not a snoop on your
local network, not an FBI agent with a warrant, not even Facebook itself—can
intercept them. For now, the feature
will be available only to a small percentage of users for testing; everyone
with Facebook Messenger gets it later this summer or in early fall.

I’ll use this the next time I teach Statistics. Isn’t the question wrong? Did insurance rates change for these
drivers?

Three years ago, the insurance
industry set up ten covert speed cameras across Northern Virginia to photograph
and access the personal information of 65,000 drivers. A motorist rights group is crying foul. The Insurance Institute for Highway Safety
(IIHS) gathered all of this data to make a political point.

“The association between higher speed
limits and faster vehicle speeds is well-established, but not as much is known
about how horsepower affects travel speeds,” wrote in a May 24 report.

The report was made possible by
the 2014 decision of Virginia Department of Motor Vehicle Commissioner Richard
D. Holcomb to release vehicle identification number (VIN), age and sex
information from the records of 65,000 vehicle owners. IIHS compared this personal information
against the facial photograph captured by the industry’s speed cameras to conclude
that vehicles “packing more horsepower” drive faster than the posted speed
limit.

[…]

“Why precisely the insurance industry advocates felt the need to capture
facial images of drivers and compare that to personal data in DMV records is a
mystery,” NMA president Gary Biller told TheNewspaper. “Identifying drivers isn’t germane to the
horsepower versus speed question.”

Indeed. And they
could have let me know so that I could comb my hair before blowing off their
speed limits in my little sports car.

Iris Scans, Palm Prints, Face Recognition Data, and More
Collected From Millions of Innocent Citizens – “The FBI, which has created
a massive database of biometric information on millions of Americans never
involved in a crime, mustn’t be allowed to shield this trove of personal
information from Privacy Act rules that let people learn what data the
government has on them and restrict how it can be used. The Electronic Frontier Foundation (EFF) filed
comments today with the FBI, on
behalf of itself and six civil liberties groups, objecting to the agency’s request to exempt the Next Generation Identification (NGI) database from key provisions
of federal privacy regulations that protect personal data from misuse and
abuse. The FBI has amassed this database
with little congressional and public oversight, failed for years to provide
basic information about NGI as required by law, and dragged its feet to disclose—again,
as required by law—a detailed description of the records and its policies for
maintaining them. Now it wants to be
exempt from even the most basic notice and data correction requirements…”

(Related) “We’re
going to do it, but we don’t know what we’re going to do yet.”

Interior Minister Arye Dery
announced on Thursday that starting next year, joining the biometric database
will be obligatory.

“From now on anyone obtaining a
document from the Interior Ministry, whether an ID card or a passport, will
receive a biometric one. We’ve decided on having this database and we’ll soon
decide what will be included in it,” Dery said at a ceremony marking
the millionth person to join the biometric database, which was held at the new
Population and Immigration Authority office in south Tel Aviv.

So with the U.S.
banking sector also embracing biometrics and with everyone’s Social
Security number already have been leaked or compromised in numerous breaches,
can the U.S. be far behind in switching to biometrics for identity
authentication?

And if so, isn’t it even more important, then, that the
FBI not be able to exempt the biometrics database from Privacy Act
protections? Have you signed EFF’s
petition on this? If not, go
do so right now.

Last week, Facebook offered a peek into the philosophy
governing its News Feed algorithm, the piece of software that decides which
posts are shown to people when they log into the platform’s app or homepage. The announcement was more than just academic. One in five
adults worldwide use Facebook, and 44 percent of Americans
get their news from the platform. If traditional agenda-setting news barons like
Rupert Murdoch count as powerful, then surely the News Feed algorithm wields
influence, too. In fact, its algorithm
may be one of the most powerful pieces of software in the world.

Which makes the ideas governing such a piece of software
extra-important. These particular ideas
came in a blog post entitled “News Feed Values,”
written by Adam Mosseri, a Facebook vice president and the product manager of
the News Feed. The post is a list of
broad principles and vague promises that users should expect from their News
Feed. It was at once a piece of
marketing and—more interestingly—a set of operational ethics, a kind of guide
to what Facebook values when it decides to alter the feed.

“Wave after wave of digital innovation has introduced a
new set of influences on the public’s news habits. Social media, messaging apps, texts and email
provide a constant stream of news from people we’re close to as well as total
strangers. News stories can now come
piecemeal, as links or shares, putting less emphasis on the publisher. And, hyper levels of immediacy and mobility
can create an expectation that the news will come to us whether we look for it
or not. How have these influences shaped
Americans’ appetite for and attitudes toward the news? What, in other words, are the defining traits
of the modern news consumer? A new, two-part survey by Pew Research Center,
conducted in early 2016 in association with the John S. and James L. Knight
Foundation, reveals a public that is cautious as it moves into this more
complex news environment and discerning in its evaluation of available news
sources…”

…Augmented
reality (AR) refers to devices that combine elements of the real world
with virtual aspects laid over it. This
often manifests itself in using your phone’s camera to display the “real world”
with a virtual overlay, though not always.

…VR essentially
boils down to: creating an entire world within virtual space. Whereas augmented reality relies on input from
the “real world”, virtual reality aims to create its own distinct and separate
world.

Snooping on personal staff data,
including SIN numbers, salaries and spouse names, led to a SaskPower employee
being fired in January.

According to a report released in
June by the Saskatchewan Information and Privacy Commissioner, Ron Kruzeniski,
the employee inappropriately accessed 4,382 human resources files from current
and former employees at the Crown-owned company.

The report said the information
included names, addresses, social insurance numbers, salaries and life
insurance coverage and beneficiaries.

SaskPower concluded that the breach was due to the
employee searching network drives. The
report says the employee then previewed and saved the files to his corporate
workstation without a business purpose.

The employee also put the files onto portable storage
devices.

…SaskPower
has improved systems security including locking affected network folders so
they can only be accessed by authorized users, the report says.

I don’t get the attraction, but is this a Security risk
for children? Sure sounds like it.

Australian cops to Pokemon fans: Do not come looking for
Pikachu in our police station

The new smartphone app Pokémon Go begins with a warning
screen.

Pokémon Go simply wants its players to avoid physical
trauma.

Played on a smartphone screen in lieu of a Game Boy or
other handheld console, Pokémon Go uses cameras and GPS to construct an
augmented reality in which collectible 3-D monsters float over physical
locales.

To collect these digital critters, you have to get off the
couch, get outside and track them down.

…The
team behind Pokémon Go — developers Niantic Labs and video game giant
Nintendo — is concerned that you may walk off a bridge, for instance, while you
are engrossed in a real-world hunt for the digital critters. Recognizing that the app, which launched in
the United States late Wednesday, may encourage the sort of obliviousness
that comes when noses are buried in smartphones, other groups began issuing
their own warnings, too.

This should interest both my Computer Security and Data
Management students.

According to the company’s Risky Business Report, only 28% of CISOs
conduct regular exercises to categorize and value the data within the company,
which allows them to evaluate the risk associated with the loss of this data. In fact, 17% of surveyed business executives
say they didn’t take action in this regard, while 55% of them have taken
partial action, the report (PDF) reveals.

What’s more, 40% of responding CISOs said they have no
clear view into the location and nature of their information assets, IRM says. The risks associated with poor knowledge of
the value of data include difficulties in building an effective protection
strategy, or in determining the amount that should be invested in data
protection solutions, Charles White, Founder and CEO of IRM, warns.

Findings in the report are in line with thoughts from SecurityWeek
columnist Rafal Los, on what he believes is the most
important security question nobody seems to be able to answer: “What
is your organization’s sensitive data, and where is it?”

A new film gives a frightening look at how the US used
cyberwarfare to destroy nukes

…A fascinating
new documentary film by Alex Gibney called "Zero Days" that premieres on
Friday tells the story of Stuxnet, along with the frightening takeaway that,
while this was the first cyber weapon, it will certainly not be the last.

The code made its way into the facility and infected the
specific industrial control systems the Iranians were using. Once it turned itself on about 13 days after
infection, it sped up or slowed down the centrifuges until they destroyed
themselves — all while the operators' computer screens showed everything was
working as normal.

…The most
incredible revelation from the film comes from Gibney's NSA source, who talks
about a much larger operation than Stuxnet. It's a news-breaking claim that The New York
Times has
since corroborated: The US had an in-depth cyber attack plan that
was much larger than Natanz.

"We were inside, waiting, watching," the source
says. "Ready to disrupt, degrade,
and destroy those systems with cyber attacks. In comparison, Stuxnet was a back alley
operation. NZ was the plan for a full
scale cyber war with no attribution."

NZ is the acronym for a separate operation called Nitro
Zeus, which gave the US access into Iran's air defense systems so it could not
shoot down planes, its command-and-control systems so communications would go
dead, and infrastructure like the power grid, transportation, and financial
systems.

…Now there is
a new weapon that can do a better job at destruction than bombs.
But the difference between
highly-controlled nuclear materials and computer code, is that anyone — and any
state — can develop it.

“It seems pretty reasonable to think that there are things
out there today that we haven’t seen that are much more advanced [than
Stuxnet]," O'Murchu told TI in a phone interview.

We'll just have to wait and see who uses it next.

What am I missing? Did the Post suddenly turn on Hillary? This does not read like a typical Post article.

…The social media
app that’s popular with the youngest Millennials is now booming with older
people: Now 38% of people ages 25 to 34
use the flighty picture-sharing app, according to an online report — a 100%
increase from just two years ago. And
14% of people over 35 use the app, too — which represents a 35% jump.

At this point, the only adults not using Snapchat are the
ones who don’t get it. So let this bona
fide Millennial — I’m 18 — explain it to you old folks:

Periscope is a live-streaming app owned by Twitter that
allows users to broadcast moments of their lives with followers across the
globe. Viewers can interact with
broadcasters through comments, and live streams can be shared through social
media much like any other kind of photo or video post.

Kari Hershey, an attorney for
AAIR, said the disturbance was first noticed when they had trouble accessing a
few of the documents.

[…]

“They weren’t able to track
exactly what the hackers did, but what they did find was a draft of the ransom
letter on the system,” Hershey said. “The
way it was explained to me is that it essentially looked like the hackers were still testing out the ransomware.”

Because the ransomware was still
in its early stages, there is no evidence that any of the information on the
system has been copied or used in any way, although it did pass through a
password protected firewall. Hershey
said they would expect to know if sensitive information was harvested by this
point in the investigation.

“Having said that, there was a breach of the system. Just out of an abundance of caution, we do
want people to sign up for an identity theft protection program. That way if they do have a problem they can
get help.”

An appeals court has ruled that a former employee of a
company, whose computer access credentials were revoked, had acted “without
authorization” in violation of the Computer Fraud and Abuse Act, when he and
other former employees used the login credentials of a current employee to gain
access to data on the employer’s computers.

The opinion of the court is likely to be controversial as
it is expected to have implications on commonplace sharing of passwords by
husbands, co-workers and friends even for innocuous purposes.

One of the three judges, Stephen Reinhardt, dissented from
the majority opinion, stating that “people frequently share their passwords,
notwithstanding the fact that websites and employers have policies prohibiting
it.”

The CFAA in his view “does not make the millions of people
who engage in this ubiquitous, useful, and generally harmless conduct into
unwitting federal criminals.”

Microsoft has published a paper that proposes a series of
recommended 'norms' of good industry behavior in cyberspace, and also a route
towards implementing and achieving those norms. Most of the norms are uncontentious and
self-evident - but one in particular (which is a form of 'responsible
disclosure') is less so. Furthermore,
the key feature in implementing these norms (the attribution of attacks to
attackers) is particularly troublesome.

From
Articulation to Implementation: Enabling progress on cybersecurity norms
was developed by a team led by Scott Charney, Microsoft's
Corporate Vice President for Trustworthy Computing.

…When Dave closes
a deal he takes the team out for beers, treats his family to a nice dinner out
and brags about it on his social media accounts.

…Amy, in your
accounting department, has a different social media presence.

She blogs regularly on Tumblr and posts selfies on
Instagram while in pensive poses when problems overwhelm her.

Both Dave and Amy represent major risks for your company.

…Dave is a bit of
a braggart and read his tweets with interest. When he tweets about beating his toughest
competitor in a sales presentation and landing a big contract, the investors buy.

Dave has
given them insider information and doesn't even know it.

…Employees who
follow Amy's social media accounts sense that there's something wrong. They see her stress level increasing, note the
workload on her desk and worry about their own future. Productivity drops. Rumors start. Bad things happen.

…Both Dave and
Amy have innocently been doing what millions of people do every day - they have
been posting about their personal lives on their social media accounts. But what they haven't realized - and what may
affect your company - is that what they write, post or repeat on social media
can cause employee problems, productivity issues and even financial damage.

It's because your company doesn't have a social media
policy. In today's world you need to be
aware of, or perhaps even control, what is said on your employee's Facebook,
Twitter, Instagram or even Pinterest accounts.

…The ability to
deploy only assets as needed based on workload is a big one. This means a company has the ability to flex
up, adding devices as needed when its workforce grows. More importantly, however, is the ability to
flex down. The problem with the
traditional PC procurement model is companies that decrease the size of their
workforce due to seasonal changes, layoffs, or the like, have to deal with the
surplus of PCs (and sunk costs) that result. In a DaaS model, the provider takes back those
devices, potentially redeploying them with another client.

I wonder if it would recognize all the hand gestures I
learned back in New Jersey? If so, would
it try to run me down?

Tuesday, July 05, 2016

I can’t say I’m surprised, but it’s nice to get some
confirmation. Alastair Sharp and Allison
Martell of Reuters report that the Federal Trade Commission is investigating
Avid Life, parent company of Ashley Madison.

But what is the scope of their investigation? Executives admitted to Reuters that the use of
“fembots” is part of the investigation, which makes sense under the FTC’s
authority to address deceptive practices. But is the FTC also investigating their data
security in light of their massive
breach? I would hope so. Avid Life executives told Reuters they still
don’t know how the breach occurred.

I expect that this investigation will result in a consent
order with a whopping monetary component to reimburse consumers who were duped
by fembots, but we’ll see in time.

An Android-based
malware campaign masterminded from China has snared as many as 85 million
Android devices and is making the gang behind it an estimated $1m every
quarter. Security software
and services company Check Point claimed that it has had its eye on the Yingmob
gang for five months, describing it as sophisticated, well-staffed and highly
profitable. Its tool of choice
is a piece of malware called HummingBad, and the group works alongside an
official advertising analytics company, according to Check Point's From HummingBad to
Worse report (PDF). "HummingBad is
a malware Check Point discovered in February 2016 that establishes a persistent
rootkit on Android devices, generates fraudulent ad revenue, and installs
additional fraudulent apps," Check
Point explained in a blog post.

June 29, 2016: “Terrorist attacks in Paris and San
Bernardino have sparked a public debate on the use of encryption in our society
because the attackers used encrypted communications to evade detection, a
phenomenon known as “going dark.” Today,
the Majority Staff of the House Homeland Security Committee released a new
report entitled, Going Dark, Going Forward: A Primer on
the Encryption Debate. This first
Congressional in-depth analysis of the issue summarizes the Committee’s findings, based on more than 100 meetings and
briefings Committee staff and Members have held with key
stakeholders over the past year. In
addition to providing insight into arguments on all sides of the encryption
debate, the report lays the groundwork for a National Commission on Security and Technology
Challenges proposed by Homeland Security Chairman Michael McCaul (R-TX) and
Senator Mark Warner (D-VA). The bipartisan
Commission has broad support from former and current Administration officials,
national security leaders, law enforcement, and the tech industry, and will
help to forge a general concurrence of opinions, informed by a common
understanding of the underlying facts. Ultimately
this effort will provide a better understanding of digital security issues for
Congress and the American public. The
report released today will help inform and advance debate that centers around
balancing personal cyber security and national security.”

…Since its
founding five years ago, Snapchat has become a digital mecca for high school
and college-age students, allowing them to send photos and videos that disappear
in a matter of seconds. It has amassed
150 million daily active users, said a person familiar with the matter.

Snapchat also has been a refuge from parents. Until lately, that is.

Now, the “olds” are arriving in force, whether they are
parents spying on their kids, or professionals trying out another social-media
platform.

That’s how long the House select committee’s investigation
into the 2012 Benghazi attacks lasted, exceeding the amount of time
high-profile Congressional committees spent digging into Watergate, the
assassination of John F. Kennedy, the Sept. 11 attacks and Pearl Harbor. [AJC]

20,000 pounds of cheese

Crime of the century in Wisconsin: 20,000 pounds of cheese
from U.S. Foods, en route from Green Bay to New York, was stolen. [The
Associated Press]

The world changes again. The Saudis had the most accessible oil early in the last century. Then Russia figured out how to extract oil
when wells could freeze. Now with shale
extraction, the US looks big. Still,
there is only 70 years of oil left at the current rate?

The analysis of 60,000 fields worldwide, conducted over a
three-year period by the Oslo-based group, shows total global oil reserves at
2.1tn barrels. This is 70 times the current production rate of
about 30bn barrels of crude oil a year, Rystad Energy said on Monday.

About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.